如何向Windows用户添加声明

Question

I have a dotnet core api app with windows app enabled. We have bunch of users which have special permission 'admin' and are stored in database, rest all have default permission 'user'. I want users to have extra claims who all are in database. Also I want to store more information like emailid, employee number(which I have to query from LDAP manually)

What I thought is I will have one api, say api/auth which will capture the current user and add claims based on database and ldap query and other api end points can use it.

But I am not able to get how to add and persist claims between different api end points.

Is it possible, and or is it a good way? I have second option to hit the database on each api call.

Edit 1: I have written a middleware which intercepts all api request and searches LDAP/database, creates an ClaimsIndentity and add it to Users.Identity . Then it is available through rest of the call.

Edit 2: When I am @Ondra Starenko's answer, I am not able to reference IClaimsTransformer or app.UseClaimsTransformation . Is there something else I need to include.

Platform: .NET core 2.1.3

Answer 1

You can add Claims to windows user in the ClaimsTransformer class.

public class ClaimsTransformer : IClaimsTransformer
{
   public Task<ClaimsPrincipal> TransformAsync(ClaimsTransformationContext context)
   {
      //add new claim
      var ci = (ClaimsIdentity) context.Principal.Identity;
      var c = new Claim(ClaimTypes.Role, "admin");
      ci.AddClaim(c);

      return Task.FromResult(context.Principal);
   }
}

And add this line to Startup:

app.UseClaimsTransformation(o => new ClaimsTransformer().TransformAsync(o));

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
   loggerFactory.AddConsole(LogLevel.Debug);
   loggerFactory.AddDebug();

   app.UseClaimsTransformation(o => new ClaimsTransformer().TransformAsync(o));

   app.UseStaticFiles();

   app.UseMvc();
}

For more information see this: add claims to windows identity .

Answer 2

In .NET Core 2+ IClaimsTransformer has been deprecated. Instead use IClaimsTransformation:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformation
{ 
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var ci = (ClaimsIdentity) principal.Identity;
        var c = new Claim(ci.RoleClaimType, "Admin");
        ci.AddClaim(c);
        return Task.FromResult(principal);
    }
}

Also note that you should not use "ClaimTypes.Role". You should use ci.RoleClaimType - Especially if you have Windows Authentication enabled. Under Windows Authentication ci.RoleClaimType evaluates to some string value that will get picked up correctly as a role, whereas ClaimTypes.Role will not.

Finally inject your ClaimsTransformer by adding it to the ConfigureServices method of Startup.cs:

services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();

You should now be able to add Role based Authorization attributes to your Controller methods and these will now be evaluated correctly:

[Authorize(Roles = "Admin")]
[HttpGet("[action]/{id}")]        
public User GetUser([FromRoute] int id)
{
    UserLogic ul = new UserLogic();
    return ul.GetUser(id);
}